CodexBloom - Programming Q&A Platform

AWS ECS Fargate: how to access Secrets Manager using IAM Roles for Tasks

👀 Views: 74 💬 Answers: 1 📅 Created: 2025-06-12
aws ecs secretsmanager fargate iam json

I'm prototyping a solution and this might be a silly question, but I've been banging my head against this for hours... I am currently working with a scenario with my AWS ECS Fargate task where it wants to access AWS Secrets Manager to retrieve credentials. I have set up an IAM role specifically for the task with the following policy:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetSecretValue",
        "secretsmanager:DescribeSecret"
      ],
      "Resource": "arn:aws:secretsmanager:us-west-2:123456789012:secret:my-secret-*"
    }
  ]
}
```

The task definition is configured to use this role, and I am passing the secret name as an environment variable in my container:

```json
"containerDefinitions": [
  {
    "name": "my-container",
    "image": "my-image:latest",
    "essential": true,
    "environment": [
      {
        "name": "MY_SECRET_NAME",
        "value": "my-secret-name"
      }
    ]
  }
]
```

However, when I attempt to run the task, it exits with the following error message:

```
An error occurred (AccessDeniedException) when calling the GetSecretValue operation: User: arn:aws:sts::123456789012:assumed-role/my-task-role/my-task-id is not authorized to perform: secretsmanager:GetSecretValue on resource: arn:aws:secretsmanager:us-west-2:123456789012:secret:my-secret-name because no identity-based policy allows the secretsmanager:GetSecretValue action
```

I've double-checked that the task role is correctly associated with the Fargate task and that the secret ARN in the policy matches the one I am trying to access. I've also made sure that the ECS service has the correct IAM role attached. Is there something I may be missing with the IAM permissions, or is there an additional configuration step needed to allow my Fargate task to access Secrets Manager? Any insights would be greatly appreciated. For context: I'm using Json on Ubuntu. Am I missing something obvious? This is part of a larger web app I'm building. What am I doing wrong?
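An offline check for the situation described in the question (added example, not code from the asker or from AWS): it applies IAM wildcard matching to the posted policy against the action and resource ARN quoted in the AccessDeniedException, and then compares the role named in the denied principal with the `taskRoleArn` of the task definition. The inputs are constructed from the question; the task definition fragment shown there has no `taskRoleArn`, so the checker reports that until you paste in your full task definition.

```python
import re

# Constructed inputs taken from the question: the task-role policy, the task
# definition fragment (it shows no taskRoleArn), and the identity, action and
# resource reported in the AccessDeniedException.
TASK_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"],
                   "Resource": "arn:aws:secretsmanager:us-west-2:123456789012:secret:my-secret-*"}],
}
TASK_DEFINITION = {"containerDefinitions": [{"name": "my-container", "image": "my-image:latest",
                   "essential": True, "environment": [{"name": "MY_SECRET_NAME", "value": "my-secret-name"}]}]}
DENIED_PRINCIPAL = "arn:aws:sts::123456789012:assumed-role/my-task-role/my-task-id"
DENIED_ACTION = "secretsmanager:GetSecretValue"
DENIED_RESOURCE = "arn:aws:secretsmanager:us-west-2:123456789012:secret:my-secret-name"


def iam_pattern(pattern: str, ignore_case: bool = False) -> re.Pattern:
    """IAM wildcard semantics: '*' matches any run of characters, '?' exactly one."""
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.compile(f"^{body}$", re.IGNORECASE if ignore_case else 0)


def policy_allows(policy: dict, action: str, resource: str) -> bool:
    """True if some Allow statement covers the action (case-insensitive) and the resource ARN.
    Explicit Deny statements and Condition blocks are deliberately not evaluated here."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions, resources = stmt.get("Action", []), stmt.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        if any(iam_pattern(a, True).match(action) for a in actions) and \
           any(iam_pattern(r).match(resource) for r in resources):
            return True
    return False


def diagnose(policy: dict, task_def: dict, principal: str, action: str, resource: str) -> list[str]:
    """Return the mismatches that would explain the AccessDeniedException (empty if none found)."""
    findings = []
    if not policy_allows(policy, action, resource):
        findings.append(f"policy does not allow {action} on {resource}")
    # Assumed-role ARN layout: arn:aws:sts::ACCOUNT:assumed-role/ROLE/SESSION -> ROLE
    denied_role = principal.split("assumed-role/", 1)[-1].split("/")[0]
    task_role_arn = task_def.get("taskRoleArn")
    if not task_role_arn:
        findings.append("taskRoleArn is not set on the task definition; containers get no task-role credentials")
    elif task_role_arn.rsplit("/", 1)[-1] != denied_role:
        findings.append(f"taskRoleArn names {task_role_arn.rsplit('/', 1)[-1]} but the denied identity is {denied_role}")
    return findings


if __name__ == "__main__":
    for line in diagnose(TASK_ROLE_POLICY, TASK_DEFINITION, DENIED_PRINCIPAL, DENIED_ACTION, DENIED_RESOURCE):
        print("FINDING:", line)
```

If the policy check passes and the role names agree, the policy document shown is not what is attached to the role the task actually assumes, so the next thing to verify is the role's attached policies rather than the policy text.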